Asymmetric cryptography in the random oracle model. Gregory Neven IBM Zurich Research Laboratory

Transcription

1 Asymmetric cryptography in the random oracle model Gregory Neven IBM Zurich Research Laboratory

2 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 2

3 The concept Until mid-1980s: cryptography as a craft security = resistance against known attacks + vague intuition why hard to break (if any) assumed secure until broken More recently: provable security 1. clear, well-stated goal, aka security notion usually defined via game with adversary 2. clear, well-stated assumption usually hard mathematical problem (e.g. factoring) or security of underlying building block 3. rigorous mathematical proof only way to break scheme is by breaking assumption 3

4 Security notions What does it mean for the scheme to be secure? Often many desirable properties So what is the right security notion? Good security notion implies all/most/many/some of the intuitive desiderata is achievable often takes time to settle down in community Several good notions can coexist Formalized by means of game with adversary e.g. digital signatures pk A M,σ A wins if σ is valid signature for M 4

5 Information-theoretic vs. computational security Information-theoretic security No restrictions on A s resources Advantage zero (perfect) or negligible (statistical) No underlying computational assumptions Completely excludes attacks! Computational security A s resources are bounded e.g. max running time, max #queries, Security relative to an underlying assumption e.g. hardness of factoring, security of AES, Attacks possible, but require scientific breakthrough 5

6 Asymptotic vs. concrete security Asymptotic security Running time of A is polynomial in security parameter k (e.g. key length) Advantage is negligible function in k meaning c k c : Adv(A) < 1/k c for all k > k c Scheme is secure iff Adv(A) is negligible for all A with running time poly(k) Concrete security Running time of A is at most t steps Advantage is at most ε Scheme is (t,ε)-secure iff Adv(A) < ε for all A running in time at most t 6

7 Assumptions Number-theoretic assumptions hardness of factoring one-wayness of RSA hardness of computing discrete logarithms Cryptographic assumptions AES is a pseudo-random permutation SHA-1 is a collision-resistant hash function 7

8 Security proofs Usually by contradiction: Given A against scheme, build B against assumption A pk M,σ B N pk A M,σ p,q Asymptotic security notion If exists poly-time A with non-negligible Adv scheme (A) then exists poly-time B with non-negligible Adv assumption (B) Concrete security If exists A that (t,ε)-breaks the scheme then exists B that (t,ε )-breaks assumption for t f(t), ε g(ε) 8

9 Limitations of provable security Provable unbreakable Security only relative to assumption better name: reductionist security Adversary stepping outside the model e.g. side-channel attacks Flawed proofs (cryptographers are only human) Implementation errors (so are programmers) Still, important tool to gain confidence by understanding compare schemes when deciding on industry standards 9

10 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 10

11 Syntax of digital signatures Digital signature scheme DS = (Kg, Sign, Vf) where Key generation: (pk, sk) R Kg Signing: σ R Sign(sk, M) Verification: 0/1 Vf(pk, M, σ) Correctness Vf(pk, M, Sign(sk, M)) = 1 11

12 Security of digital signatures Desirable properties Given pk, hard to compute sk Given M, hard to compute σ such that Vf(pk, M, σ) = 1 Given σ for M, hard to compute σ for M Unforgeability under chosen-message attack pk A M i σ i Sign(sk, ) (pk,sk) R Kg (M,σ) R A Sign(sk, ) (pk) A wins iff Vf(pk,M,σ)=1 and M / {M 1,,M N } M,σ Adv uf-cma (A) = Pr [ A wins ] DS 12

13 Textbook RSA signatures Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Sign(sk,M): (assume M Z*) N σ M d mod N Vf(pk,M,σ): Check that σ e = M mod N pk Are these uf-cma secure? A M i σ i Sign(sk, ) M,σ 13

14 Textbook RSA signatures Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Sign(sk,M): (assume M Z*) N σ M d mod N Vf(pk,M,σ): Check that σ e = M mod N Are these uf-cma secure? No! σ=1 always valid for M=1 choose σ, compute M σ e mod N homomorphic: valid (M 1,σ 1 ) and (M 2,σ 2 ) valid (M 1 M 2,σ 1 σ 2 ) 14

15 RSA-FDH Fix: assume full-domain hash function H : {0,1}* Z* σ H(M) d mod N Check that σ e = H(M) mod N What do we need/expect/hope to get from H? preimage of 1 hard to find one-wayness: hard to choose σ, compute M H -1 (σ e ) collision-resistance: hard to find M, M such that H(M) = H(M ) destroy algebraic structure: hard to find M 1,M 2,M 3 such that H(M 1 ) H(M 2 ) = H(M 3 ) mod N These are necessary properties, but are they sufficient? N 15

16 RSA PKCS #1 v1.5 Public Key Cryptography Standards (PKCS) by RSA Labs: H PKCS (M) = FF FF 00 h(m) where h is collision-resistant hash, e.g. SHA-1 Seems to prevent attacks, but provably secure? Candidate assumption: one-wayness of RSA N,e,y A x x R Z* N y x e mod N x R A(y) ow Adv RSA (A) = Pr [ y = (x ) e mod N ] Invert H PKCS (M) versus invert random element of Z* N Range of H PKCS is only fraction 1/2 864 of Z* N So RSA may be one-way yet invertible on H PKCS (M)! 16

17 Random oracle model Theory: give all parties (good & bad) access to random oracle = truly random function H: {0,1}* Z* consistent with previous queries ( dynamically built table) Practice: replace random oracle with hash function N pk A M H(M) M i σ i H( ) Sign H (sk, ) (pk,sk) R Kg (M,σ) R A H( ),Sign(sk, ) (pk) A wins iff Vf H( ), (pk,m,σ)=1 and M / {M 1,,M N } Adv uf-cma (A) = Pr [ A wins ] DS M,σ 17

18 The power of random oracles pk N,e,y A M H(M) M i σ i H( ) Sign H (sk, ) B A M H(M) M i σ i M,σ x Random oracle model is stronger than collision-resistant hash function hash: computable RO: unpredictable until queried pseudo-random function: PRF: secret key unknown to A RO: publicly accessible 18

19 Random oracle model: pros & cons Pros efficient, practical schemes clear security notion, some security guarantee (definitely better than ad-hoc design) excludes generic attacks (if scheme and hash function are independent ) Cons weaker security guarantee than standard model (contrived) counterexamples exist [CGH98] 19

20 Security of RSA-FDH Theorem: If RSA is (t,ε) one-way, then RSA-FDH signatures are (t,q H,q S,ε ) unforgeable in the random oracle model for t = t (q H + q S ) t exp ε = (q H + q S + 1) ε 20

21 Security proof of RSA-FDH Step 1: A makes one query H(M), forges on M N,e,y N,e B A M H(M) H( ) A M M, σ = H(M) d M,σ x 21

22 Security proof of RSA-FDH Step 1: A makes one query H(M), forges on M N,e,y N,e B N,e A M H(M) H( ) A M y M, σ = H(M) d M, σ = y d x = σ B(N,e,y): Run A(N,e), answering H(M) = y Until A outputs M,σ Return x = σ ε = ε', t t' 22

23 Security proof of RSA-FDH Step 2: A makes two queries H(M 1 ), H(M 2 ), forges on M i N,e,y B N,e A M 1 y M 2 y B(N,e,y): Run A(N,e), answering H(M 1 ) = y H(M 2 ) = y Until A outputs M,σ Return x = σ M, σ = y d x = σ Glitch!!! 23

24 Security proof of RSA-FDH Step 2: A makes two queries H(M 1 ), H(M 2 ), forges on M i N,e,y B N,e A M 1, σ = y d M 1 y M 2 h B(N,e,y): i* R {1,2} Run A(N,e), answering H(M i* ) = y H(M 3-i* ) = h R Z* N Until A outputs M i,σ If i i* then abort Return x = σ x = σ ε = ε' 2, t t' 24

25 Security proof of RSA-FDH Step 3: A makes q H queries H(M i ), forges on some M i (assume wlog M i all different, A queries H(M i ) before forging) B(N,e,y): i* R {1,,q H } Run A(N,e), answering H( ) using HSim( ) Until A outputs M i,σ If i i* then abort Return x = σ HSim(M i ): If i=i* then h i y Else h i R Z N * Return h i ε = ε' q + 1 H, t t' 25

26 Security proof of RSA-FDH Step 4: Signing queries (assume wlog M i all different, A queries H(M i ) before Sign(M i ) and forging) B(N,e,y): i* R {1,,q H } Run A(N,e), answering H( ) using HSim( ) Until A outputs M i,σ If i i* then abort Return x = σ HSim(M i ): If i=i* then h i y Else x i R Z N * h i x ie mod N Return h i SSim(M i ): If i=i* then abort Else return x i ε = q H ε' + q S + 1, t t' + (q H + q S ) t exp 26

27 Other signature schemes in the ROM RSA-PSS tight reduction from one-wayness of RSA alternatively use Katz-Wang, ACM CCS 2005 Bernstein, Eurocrypt 2008 Fiat-Shamir and variants factoring, RSA, discrete log, proof using forking lemma 27

28 Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption in the ROM 28

29 Syntax of public-key encryption Public-key encryption scheme PKE = (Kg, Enc, Dec) where Key generation: (pk,sk) R Kg Encryption: C R Enc(pk,M) Decryption: M/ Dec(sk,C) Correctness: Dec(sk, Enc(pk,M)) = M 29

30 Chosen-plaintext security Desirable properties Given pk, hard to compute sk Given C, hard to compute M Given C, hard to compute last bit, parity, of M Security notion: IND-CPA = indistinguishability under chosen-plaintext attack pk A b (pk,sk) R Kg (M 0,M 1,state) R A(pk) where M 0 = M 1 M 0,M 1 b R {0,1} ; C* R Enc(pk,M b ) C* b R A(C*,state) A wins iff b = b Adv ind-cpa (A) = 2 Pr [b =b] 1 PKE = Pr[b =1 b=1] Pr[b =1 b=0] 30

31 Textbook RSA encryption Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Enc(pk,M): C M e mod N Dec(sk,C): M C d mod N pk Is textbook RSA IND-CPA secure? A b M 0,M 1 C* 31

32 Textbook RSA encryption Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) pk (N,e) ; sk (N,d) Enc(pk,M): C M e mod N Dec(sk,C): M C d mod N Is textbook RSA IND-CPA secure? No! deterministic, so A can re-encrypt and compare if e = 3 and M < N 1/3 then Dec(C) = C 1/3 32

33 RSA PKCS#1 v1.5 M = random padding data 64 bits Seems to prevent attacks But provably secure? Unlikely: decisional IND-CPA game (output bit b) vs. computational one-wayness of RSA (output x Z* N) Insecure against stronger attacks: see later 33

34 The RSA-CPA scheme Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) H : Z N {0,1} m pk (N,e) ; sk (N,d) Encrypt(pk,M): x R Z N ; y x e mod N z H(x) M Return C = (y,z) Decrypt(sk,C): x y d mod N Return M = H(x) z 34

35 Security of RSA-CPA Theorem: If RSA is (t,ε) one-way, then RSA-CPA is (t,q H,ε ) IND-CPA secure in the random oracle model for ε = ε t = t q H t exp Proof idea: If A does not query H(x*) then C* is independent of m b pk A x H(x) M 0,M 1 C* H( ) B A N,e,y* x H(x) M 0,M 1 C* b x* 35

36 Proof of RSA-CPA (sketch) B(N,e,y): Run A(N,e), answering H( ) using HSim( ) Until A outputs M 0,M 1 z R {0,1} n ; C (y,z) Run A(C), answering H( ) using HSim( ) Until A outputs b Abort HSim(x): If x e = y mod N then Output x Else Return h R {0,1} n Let Q be event that A queries H(x*) ε = 2 ( Pr[ b=b Q ] Pr[Q] + Pr[ b=b Q ] Pr[ Q] ) 1 1 = ε = 1/2 1 2 ( ε + 1/2 ) 1 = 2 ε 36

37 Chosen-ciphertext security Stronger security notion: IND-CCA = indistinguishability under chosen-ciphertext attack pk (pk,sk) R Kg C Dec(sk, ) (M 0,M 1,state) R A Dec (pk) where M 0 = M 1 M b R {0,1} ; C* R Enc(pk,M b ) A M 0,M 1 C* C C* Dec(sk, ) M b R A Dec (C*,state) A wins iff b = b and never queried Dec(C*) Adv ind-cpa (A) = 2 Pr [b =b] 1 PKE = Pr[b =1 b=1] Pr[b =1 b=0] b Motivation: lunch-time attacks authenticated key exchange protocols 37

38 IND-CCA security of RSA-CPA Is RSA-CPA also IND-CCA secure? No! (y,z) encrypts M (y, z R) encrypts M R Do we care? Sealed-bid auction: outbid competitor at minimum price competitor submits (y,z) cheater submits (y, z 0 01) Joint random string generation: two parties encrypt random R 1, R 2 common random string R = R 1 R 2 attack: always force R = S first party submits (y,z) cheater submits (y, z S) 38

39 Bleichenbacher attack Is RSA PKCS#1 v1.5 IND-CCA secure? M = random padding data 64 bits Decryption: reject if padding incorrect Bleichenbacher 1998: No! Given oracle to test correct PKCS#1 formatting decrypt any C using to queries Such oracle is present in many crypto protocols, including SSL! PKCS#1 v2.0 adopted provably secure RSA-OAEP (Optimal Asymmetric Encryption Padding) 39

40 The RSA-CCA scheme Toy version of RSA-OAEP: less efficient, but simpler proof Kg: N = pq where p,q primes, p = q = k e,d such that e d = 1 mod (p-1)(q-1) H : Z N {0,1} m ; G : Z N {0,1} m {0,1} n pk (N,e) ; sk (N,d) Encrypt(pk,M): x $ Z N ; y x e mod N z H(x) M ; t G(x,z) Return C = (y,z,t) Decrypt(sk,C): x y d mod N If G(x,z) t then return Else return M = H(x) z 40

41 Security of RSA-CCA Theorem: If RSA is (t,ε) one-way, then RSA-CCA is (t,q D,q H,q G,ε ) IND-CCA secure in the random oracle model for ε = ε q D /2 n t = t (q H + q G + q D ) t exp Proof idea: If A does not query H(x) or G(x,z) then challenge ciphertext is independent of m b Answer decryption queries (y,z,t) by looking up t among previous responses of G 41

42 Other encryption schemes in the ROM RSA-OAEP based on one-wayness of RSA standardized in PKCS#1 v2.0, widely used DHIES CCA-secure variant of ElGamal Fujisaki-Okamoto transform CPA CCA security 42